Procurement decision tree · verified June 2026

PAM Buying Guide 2026

A step-by-step decision tree for Privileged Access Management procurement. Starts from deployment preference, narrows through identity-suite consolidation and engineering-access scope to a 3-vendor shortlist per buyer profile.

Direct Answer

How do I shortlist PAM vendors in 2026?

Start from deployment preference (SaaS / self-hosted / appliance). Narrow on identity-suite consolidation (Okta / Microsoft Entra ID already in place). Add engineering-access scope (heavy SSH / Kubernetes / DB triggers Teleport / StrongDM / Boundary). Finalise on module scope (vault only / vault + session / full platform) to determine whether quote-only enterprise platforms are worth the procurement runway.

Step 1: Deployment preference

SaaS only. Keeper, JumpCloud, Okta, Teleport Cloud, Delinea Secret Server Cloud, Saviynt Identity Cloud, StrongDM.
Self-hosted required. Teleport Community, HashiCorp Boundary Community, ManageEngine PAM360, CyberArk PAS Vault, Delinea Secret Server on-prem.
Hardware appliance acceptable. Wallix Bastion, One Identity Safeguard, BeyondTrust B Series.

Step 2: Identity-suite consolidation

Already on Okta Workforce Identity. Add PAM via Essentials Suite ($17/user/mo) or Premium Suite ($28/user/mo). One contract.
Already on Microsoft Entra ID. Entra ID PIM is the workforce role activation tool; for full PAM coverage you still need a dedicated platform (CyberArk, BeyondTrust, Delinea, Saviynt).
No incumbent IdP. JumpCloud bundles directory + SSO + PAM in one contract ($24/user/mo Platform Prime).

Step 3: Engineering-access scope

Heavy SSH / Kubernetes / cloud-native. Teleport (Community free under qualifying scale, Enterprise quote-only), HashiCorp Boundary (Community free, paired with Vault), StrongDM (SaaS quote-only). These commonly sit alongside the central PAM platform.
Heavy database access from analysts and engineers. StrongDM has the strongest query-level audit; Teleport DB Access close behind.
Heavy Windows RDP / legacy Unix. CyberArk, BeyondTrust, Delinea, One Identity all stronger.

Step 4: Module scope

Vault only. Keeper Business ($3.75/user/mo) covers password vault for the whole org; KeeperPAM bundle adds session.
Vault + session. ManageEngine PAM360 ($7,995/yr Standard), JumpCloud Platform Prime ($24/user/mo).
Vault + session + secrets management. CyberArk + Conjur, HashiCorp Vault + Boundary, Delinea Secret Server + DevOps Secrets Vault.
Full platform (vault + session + secrets + endpoint privilege + analytics). CyberArk, BeyondTrust, Delinea, One Identity, Wallix, Saviynt, Segura.

Shortlist matrix per buyer profile

Buyer profile	Cheapest published shortlist	Add for full PAM
Engineering-led startup under 100 emp	Teleport Community + Keeper Business	None (free + $45/user/year)
SMB 100-300 admins	JumpCloud Platform Prime	Or Okta Essentials Suite
Mid-market 300-1,000 admins, on-prem	ManageEngine PAM360 Professional	Quote: Delinea, BeyondTrust
Mid-market 300-1,000 admins, SaaS	Okta Premium Suite + Teleport	Quote: Delinea, StrongDM
Enterprise above 1,000 admins, regulated	Okta as identity, plus quote-only PAM leader	CyberArk, BeyondTrust, Delinea, One Identity
EU enterprise wanting EU contract	Wallix + Okta or ManageEngine	Quote: One Identity (EU presence)

Common pitfalls

Comparing list prices to bundle quotes. Okta Essentials Suite at $17/user/mo includes PAM at 0.5 RU, but full Identity Governance pushes you to Premium at $28. Comparing $17 to a CyberArk quote that includes Endpoint Privilege Management plus Secrets Hub plus Conjur Secrets is apples-to-oranges.
Ignoring the Teleport Community Edition cap. Free now means commercial conversion the moment you cross 100 employees or $10M revenue.
Treating KeeperPAM as the headline rate. The headline $3.75/user/mo is Keeper Business password vault only; KeeperPAM bundle on top is quote-only.
Forgetting implementation services. Enterprise rollouts always carry a separate vendor or partner statement of work on top of the licence; the dollar figure is set in that SOW, not in any "industry typical" number we would invent.
Single-track procurement on quote-only vendors. Always run parallel published-pricing vendors as anchors.